Forum Discussion

Todd_90577's avatar
Icon for Nimbostratus rankNimbostratus
Mar 07, 2012

Portal Access doesn't SSO to Exchange 2010 OWA

I'm running Big-IP v11 and licensed for APM and I'm trying to load balance Exchange 2010 OWA. When I login to the F5 forms-based Portal Access site, it redirects me to OWA, but I get prompted to login to OWA before I can view my webmail. It seems like the single sign-on isn't working.



Also when I'm on a AD domain computer and login to the F5 Portal Access, OWA will not prompt for another login screen and open my webmail instantly. The catch is, no matter what valid AD username/password I use on the F5 portal, it always opens my webmail because I'm logged into my computer on the domain.



Any help would be great!

6 Replies

  • Todd,



    Do you already have a support case open with F5 on this? How is your OWA authenticated? Based on the behavior you described, it appears that you might be using NTLM and/or Kerberos-based authentication for OWA internally instead of forms--based - is that true?
  • Hi Michael,


    My Exchange Engineer viewed the properties of the CAS server and it was set for "Integrated authentication" or "Basic authentication". We switched the CAS server to Forms-based and the SSO worked. However, my Exchange Engineer wants to switch it back to the two previous methods because OWA is working thru the ISA server this way. We are trying to replace out ISA with the F5. Now if I change the F5 SSO, the login will only work using HTTP Basic, but i still get prompted twice to login. Since only the HTTP basic would work (or forms based), it seems to rule out that NTLM or Kerberos is being used. Is there something I'm missing to get HTTP Basic to work with single sign-on?


  • Since the HTTP Basic is in "clear text", I think we're going to stick with the Forms based method on the CAS server.



    Thanks for your help identifying the source of the issue!



  • Todd,



    I hope you don't mind if I take this opportunity to correct a somewhat common misconception. It is true that for Basic auth credentials are passed in cleartext. However, forms-based auth is also being transmitted in clear. What's securing both Basic auth and forms-based auth is the SSL layer - encryption of the POST parameters in SSL and Basic Auth credentials are equivalent to each other in terms of security of the transmitted password. NTLM is obviously a different animal, as the password never crosses the wire.
  • Todd,



    You might sync up with your Exchange engineer and propose a second Exchange IIS site. This can be done on any CAS server and is actually one of Microsoft's supported means of dealing with the need for different INSIDE/OUTSIDE auth needs. The only real requirement is a second IP address for the second site and to unbind the current one from to the current IP. Once done you would point ISA to one site and the F5 to the other.



    Hope that is helpful.



  • Thank you both for the clarification and input. I will take all of these into consideration while attempting to complete this deployment.